1. Field of the Invention
The present invention is directed to technology for obtaining and maintaining real time status information for electronic certificates.
2. Description of the Related Art
Electronic certificates have become a popular mechanism for establishing secure communications over a network. Certificates contain information about the certificate holder, including a public key for performing encryption. The certificate holder maintains a secret private key that corresponds to the public key. Members of the public employ the public key to encrypt communications sent to the certificate holder, and the certificate holder uses the private key to decrypt the encrypted communications. By exchanging certificates, individuals can share public keys for engaging in secure network communications. A certificate typically expires after a period of time or can be revoked. The certificate's status, however, cannot be provided in the certificate itself, because the status is a dynamic value that changes over time among values such as valid, expired and revoked.
In organizations, such as companies, many individuals have electronic certificates for carrying on secure communications inside and outside of the organization. In some instances, affiliates outside the organization have certificates for engaging in secure communications with the organization. This results in a large number of organization-related certificates. When an individual imports or views a certificate of another person, the individual is unaware of the certificate's status. In order to obtain the certificate's real time status, the individual must issue a real time status request to the certificate issuing authority. Requiring an organization's many members and affiliates to make such queries is inefficient and wastes organizational resources.
With the growth of networking and other information technologies, Identity Systems have become popular for managing organizations' identity information. In general, an Identity System provides for the creation, removal, editing and other management of identity information stored in various types of data stores. The identity information pertains to users, groups, organizations and things. For each entry in the data store, a set of attributes is stored. For example, the attributes stored for a user may include a name, address, employee number, telephone number, email address, user ID and password. The Identity System can also manage access privileges that govern the subject matter an entity can view, create, modify or use in the Identity System.
Traditional Identity Systems, however, have not incorporated the capability to provide real time status for a large volume of certificates in an organization. One tool available to an Identity System is a certificate revocation list published by a certificate issuing authority. The list provides status for revoked certificates at predefined intervals, such as once a day or once an hour. The certificate revocation list, however, cannot provide real time status. Other available tools include real time protocols that allow an Identity System to retrieve real time certificate status. Real time protocols, however, cannot respond in real time to numerous status requests, such as the hundreds of requests that an organization may require.
It is desirable for an Identity System to provide real time certificate status for a large volume of certificates.
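The following added example (not part of the patent text, and not the claimed invention) illustrates the related-art limitation described above: a status derived from a certificate's validity period and a periodically published revocation list can only be stated as of the list's last publication, so it is not real time. The data model, status names and sample data are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical minimal data model, constructed for this example only.
@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class RevocationList:
    this_update: datetime       # when the issuing authority published the list
    next_update: datetime       # when the next list is due (the publication interval)
    revoked_serials: frozenset

@dataclass(frozen=True)
class StatusAnswer:
    status: str        # "valid", "expired", "not_yet_valid" or "revoked"
    as_of: datetime    # the latest moment at which the answer is known to hold
    stale: bool        # True when the list is past next_update, so a newer one exists

def certificate_status(cert, crl, now):
    """Derive status from the certificate's validity period plus a CRL snapshot.

    Revocation is tested first: a revoked certificate stays revoked after it
    expires. Expiry comes from the certificate itself and is known as of now;
    non-revocation is only known as of crl.this_update, which is exactly why a
    CRL-based "valid" is not a real time answer.
    """
    crl_stale = now > crl.next_update
    if cert.serial in crl.revoked_serials:
        return StatusAnswer("revoked", crl.this_update, crl_stale)
    if now > cert.not_after:
        return StatusAnswer("expired", now, False)
    if now < cert.not_before:
        return StatusAnswer("not_yet_valid", now, False)
    return StatusAnswer("valid", crl.this_update, crl_stale)

# Constructed sample data: a daily list published at T0 and three certificates.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CRL = RevocationList(T0, T0 + timedelta(days=1), frozenset({42}))
SAMPLE_CERTS = {
    "good": Certificate(1, T0 - timedelta(days=30), T0 + timedelta(days=365)),
    "revoked": Certificate(42, T0 - timedelta(days=30), T0 + timedelta(days=365)),
    "old": Certificate(7, T0 - timedelta(days=400), T0 - timedelta(days=1)),
}
SAMPLE_NOW = T0 + timedelta(hours=6)      # within the list's publication interval
SAMPLE_LATER = T0 + timedelta(days=2)     # the list is overdue by then
```

A certificate revoked a minute after `this_update` is still reported as valid until the next list is published, which is the gap a real time status source has to close.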